Business email compromise (BEC)

Business email compromise (BEC) attacks are one of the largest cybersecurity risks facing organisations today. In 2018, BEC accounted for 23% of cyber insurance claims received from Europe, the Middle East and Asia, according to statistics released by AIG*. According to the FBI in the USA, BEC has caused worldwide losses of at least £21 billion since 2016.

This is clearly a very prevalent issue, but what is it, how does it work and how can the risk be reduced?

What is it?

BEC is an attack in which the attacker uses compromised email credentials, or spoofs a legitimate email address, to impersonate an individual and trick an employee into making an electronic payment or handing over sensitive data.

How does it work?

A BEC scam starts with the attacker researching your company through your website and other online activity, looking for the names and positions of people with authority whom they can impersonate. They may even work out who is out of the office that day by sending test emails and watching for automatic 'out of office' replies.

The attacker then either gains access to the selected individual's email account or spoofs their domain, typically by registering a look-alike domain that differs from the genuine one by a single character (a swapped, added or missing letter) so that at a glance the address appears legitimate. An email is then sent from that account or look-alike address to a chosen employee containing a request for money or information.

The same research also tells the attacker which accounting or finance positions to send the requests to, and which of your suppliers they can learn about and impersonate when asking for urgent payments.
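The look-alike domain trick described above can be caught mechanically before a request ever reaches the person who would pay it. The following is an added example (not code from the original article or from The Clear Group) of a small check that an inbound-mail filter or a finance-team script could run over the From header of a payment request. It flags a sender domain that is not on a trusted list but is within one character edit of a trusted domain, or that matches one once common look-alike substitutions (digits for letters, "rn" for "m") are folded back. The trusted domains and the sample headers are constructed for illustration.

```python
"""Flag look-alike sender domains in e-mail From headers.

Added example, not part of the original article. The trusted domains and
the sample headers below are constructed for illustration only.
"""
from email.utils import parseaddr

# Domains that are genuinely ours or belong to known suppliers (assumed list).
TRUSTED_DOMAINS = {"example-finance.co.uk", "trusted-supplier.com"}

# Characters attackers swap for visually similar ones. Folding a domain
# through these tables maps the substitutions back to the plain letter.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "|": "l"}
MULTI_CHAR_HOMOGLYPHS = {"rn": "m", "vv": "w"}


def normalise(domain: str) -> str:
    """Lower-case a domain and fold common look-alike substitutions."""
    d = domain.lower()
    for pair, letter in MULTI_CHAR_HOMOGLYPHS.items():
        d = d.replace(pair, letter)
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in d)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the domain from a header such as 'Jane Smith <jane@x.com>'."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the sender's domain.

    'lookalike' means the domain is not trusted but is either identical to a
    trusted domain after homoglyph folding or within one edit of it: the
    classic BEC trick of registering a domain one character away from the
    real one. 'unknown' domains are not necessarily malicious, but a payment
    request from one still deserves the out-of-band verification step.
    """
    domain = sender_domain(from_header)
    if not domain:
        return "unknown"
    if domain in trusted:
        return "trusted"
    folded = normalise(domain)
    for good in trusted:
        if folded == normalise(good) or edit_distance(domain, good) <= 1:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample headers, not real messages.
    samples = [
        "Jane Smith <jane.smith@example-finance.co.uk>",   # genuine
        "Jane Smith <jane.smith@example-finance.c0.uk>",   # zero for 'o'
        "Accounts <accounts@trusted-supplier.corn>",       # 'rn' for 'm'
        "Accounts <accounts@trusted-supplier.co>",         # missing letter
        "Some Bank <alerts@gmail.com>",                    # unrelated domain
    ]
    for header in samples:
        print(f"{classify_sender(header):9s}  {header}")
```

The check is deliberately narrow: it only compares against domains you have chosen to trust, so it produces few false positives, and a 'lookalike' verdict is a strong signal that the request should be refused until it has been confirmed by phone with the real supplier or colleague. It does not replace SPF or DMARC-style sender authentication on the mail gateway; it complements them by catching domains the attacker legitimately owns and that therefore pass those checks.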

What preventative measures can be put in place?

  • Multi-factor authentication: require it in your IT security policy so that a stolen password alone is not enough to log in to email, particularly from a new device or location.
  • Employee education: train all employees to recognise fraudulent emails. Teach them to be suspicious of urgent payment requests that bypass normal procedure, of spelling and grammatical errors, and of any communication that is out of the ordinary for the sender.
  • Minimise financial authorisation: the more people who are authorised to process financial transactions, the greater the chance that one of them inadvertently sends funds to an attacker. Those who remain authorised should receive additional training.
  • Verify payment requests: have a two-step verification process for all financial transactions, for example confirmation by phone or in person as well as by email. Make that call to a number you already hold on file for the person or supplier, never to a number given in the email itself, since an attacker controls what the email says.

What now?

Do you know what you would do if you fell victim to a BEC incident? A cyber liability insurance policy provides the services and support to help you deal with the incident and helps mitigate the costs involved.

If you would like further information about this or other cyber security risks, please call 01789 766888 and speak to one of our team, who would be happy to help.
